Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs
#31
RootRepeal logs
Here are the RootRepeal logs. Hidden Services came up blank.
ROOTREPEAL (c) AD, 2007-2008 ================================================== Scan Time: 2009/05/10 17:42 Program Version: Version 1.2.3.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: 1394BUS.SYS Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS Address: 0xF7566000 Size: 57344 File Visible: - Status: - Name: ABP480N5.SYS Image Path: ABP480N5.SYS Address: 0xF774F000 Size: 23552 File Visible: - Status: - Name: ACPI.sys Image Path: ACPI.sys Address: 0xF75A7000 Size: 188544 File Visible: - Status: - Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x804D7000 Size: 2265088 File Visible: - Status: - Name: adpu160m.sys Image Path: adpu160m.sys Address: 0xF787E000 Size: 101888 File Visible: - Status: - Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys Address: 0xAFAB9000 Size: 138496 File Visible: - Status: - Name: agp440.sys Image Path: agp440.sys Address: 0xF7556000 Size: 42368 File Visible: - Status: - Name: agpCPQ.sys Image Path: agpCPQ.sys Address: 0xF7526000 Size: 44928 File Visible: - Status: - Name: aha154x.sys Image Path: aha154x.sys Address: 0xF789F000 Size: 12800 File Visible: - Status: - Name: aic78u2.sys Image Path: aic78u2.sys Address: 0xF7657000 Size: 55168 File Visible: - Status: - Name: aic78xx.sys Image Path: aic78xx.sys Address: 0xF7627000 Size: 56960 File Visible: - Status: - Name: aliide.sys Image Path: aliide.sys Address: 0xF798B000 Size: 5248 File Visible: - Status: - Name: alim1541.sys Image Path: alim1541.sys Address: 0xF7546000 Size: 42752 File Visible: - Status: - Name: amdagp.sys Image Path: amdagp.sys Address: 0xF7536000 Size: 43008 File Visible: - Status: - Name: amsint.sys Image Path: amsint.sys Address: 0xF78AB000 Size: 12032 File Visible: - Status: - Name: arp1394.sys Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys Address: 0xF7427000 Size: 60800 File Visible: - Status: - Name: asc.sys Image Path: asc.sys Address: 0xF771F000 Size: 26496 File 
Visible: - Status: - Name: asc3350p.sys Image Path: asc3350p.sys Address: 0xF7757000 Size: 22400 File Visible: - Status: - Name: asc3550.sys Image Path: asc3550.sys Address: 0xF78AF000 Size: 14848 File Visible: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0xF74A7000 Size: 96512 File Visible: - Status: - Name: audstub.sys Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys Address: 0xBA763000 Size: 3072 File Visible: - Status: - Name: Beep.SYS Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xF79D1000 Size: 4224 File Visible: - Status: - Name: BOOTVID.dll Image Path: C:\WINDOWS\system32\BOOTVID.dll Address: 0xF7897000 Size: 12288 File Visible: - Status: - Name: cbidf2k.sys Image Path: cbidf2k.sys Address: 0xF78B7000 Size: 13952 File Visible: - Status: - Name: cd20xrnt.sys Image Path: cd20xrnt.sys Address: 0xF7995000 Size: 7680 File Visible: - Status: - Name: Cdfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xBAEFD000 Size: 63744 File Visible: - Status: - Name: Cdr4_xp.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS Address: 0xF7ABC000 Size: 2432 File Visible: - Status: - Name: Cdralw2k.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdralw2k.SYS Address: 0xF7ABD000 Size: 2560 File Visible: - Status: - Name: cdrom.sys Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys Address: 0xBA350000 Size: 62976 File Visible: - Status: - Name: cdudf_xp.SYS Image Path: C:\WINDOWS\System32\Drivers\cdudf_xp.SYS Address: 0xAFC74000 Size: 259712 File Visible: - Status: - Name: CLASSPNP.SYS Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS Address: 0xF76B7000 Size: 53248 File Visible: - Status: - Name: cmdide.sys Image Path: cmdide.sys Address: 0xF798D000 Size: 6656 File Visible: - Status: - Name: cmuda.sys Image Path: C:\WINDOWS\system32\drivers\cmuda.sys Address: 0xB9F2B000 Size: 1368000 File Visible: - Status: - Name: cpqarray.sys Image Path: cpqarray.sys Address: 0xF789B000 Size: 14976 File Visible: - Status: - Name: dac2w2k.sys Image 
Path: dac2w2k.sys Address: 0xF7852000 Size: 179584 File Visible: - Status: - Name: dac960nt.sys Image Path: dac960nt.sys Address: 0xF78A7000 Size: 14720 File Visible: - Status: - Name: disk.sys Image Path: disk.sys Address: 0xF76A7000 Size: 36352 File Visible: - Status: - Name: dpti2o.sys Image Path: dpti2o.sys Address: 0xF775F000 Size: 20192 File Visible: - Status: - Name: drmk.sys Image Path: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xBA320000 Size: 61440 File Visible: - Status: - Name: dvd_2K.SYS Image Path: C:\WINDOWS\System32\Drivers\dvd_2K.SYS Address: 0xBADCB000 Size: 20832 File Visible: - Status: - Name: DVDVRRdr_xp.SYS Image Path: C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS Address: 0xAFC3E000 Size: 146560 File Visible: - Status: - Name: Dxapi.sys Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xAFBCD000 Size: 12288 File Visible: - Status: - Name: dxg.sys Image Path: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBF9C3000 Size: 73728 File Visible: - Status: - Name: dxgthk.sys Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xBA9BB000 Size: 4096 File Visible: - Status: - Name: e100b325.sys Image Path: C:\WINDOWS\System32\DRIVERS\e100b325.sys Address: 0xBA0CD000 Size: 145408 File Visible: - Status: - Name: fdc.sys Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys Address: 0xF777F000 Size: 27392 File Visible: - Status: - Name: Fips.SYS Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xBAF4D000 Size: 44672 File Visible: - Status: - Name: flpydisk.sys Image Path: C:\WINDOWS\System32\DRIVERS\flpydisk.sys Address: 0xBADBB000 Size: 20480 File Visible: - Status: - Name: fltmgr.sys Image Path: fltmgr.sys Address: 0xF7832000 Size: 129792 File Visible: - Status: - Name: Fs_Rec.SYS Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xF79CF000 Size: 7936 File Visible: - Status: - Name: ftdisk.sys Image Path: ftdisk.sys Address: 0xF74D7000 Size: 125696 File Visible: - Status: - Name: GEARAspiWDM.sys Image Path: 
C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys Address: 0xBADFB000 Size: 28672 File Visible: - Status: - Name: hal.dll Image Path: C:\WINDOWS\system32\hal.dll Address: 0x80700000 Size: 134400 File Visible: - Status: - Name: HIDCLASS.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS Address: 0xBAEDD000 Size: 36864 File Visible: - Status: - Name: HIDPARSE.SYS Image Path: C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS Address: 0xF779F000 Size: 28672 File Visible: - Status: - Name: hidusb.sys Image Path: C:\WINDOWS\system32\DRIVERS\hidusb.sys Address: 0xAFDB9000 Size: 10368 File Visible: - Status: - Name: hpn.sys Image Path: hpn.sys Address: 0xF776F000 Size: 25952 File Visible: - Status: - Name: HTTP.sys Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys Address: 0xAF0E4000 Size: 264832 File Visible: - Status: - Name: i2omgmt.SYS Image Path: C:\WINDOWS\System32\Drivers\i2omgmt.SYS Address: 0xBA7B0000 Size: 8576 File Visible: - Status: - Name: i2omp.sys Image Path: i2omp.sys Address: 0xF772F000 Size: 18560 File Visible: - Status: - Name: i8042prt.sys Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys Address: 0xF7487000 Size: 53504 File Visible: - Status: - Name: imapi.sys Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys Address: 0xBA330000 Size: 42112 File Visible: - Status: - Name: ini910u.sys Image Path: ini910u.sys Address: 0xF78B3000 Size: 16000 File Visible: - Status: - Name: intelide.sys Image Path: intelide.sys Address: 0xF7993000 Size: 5504 File Visible: - Status: - Name: intelppm.sys Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys Address: 0xBAD2B000 Size: 40448 File Visible: - Status: - Name: ipnat.sys Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys Address: 0xAFB2B000 Size: 152832 File Visible: - Status: - Name: ipsec.sys Image Path: C:\WINDOWS\System32\DRIVERS\ipsec.sys Address: 0xAFBAA000 Size: 75264 File Visible: - Status: - Name: isapnp.sys Image Path: isapnp.sys Address: 0xF75F7000 Size: 37760 File Visible: - Status: - Name: kbdclass.sys Image 
Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys Address: 0xBADDB000 Size: 25088 File Visible: - Status: - Name: kbdhid.sys Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys Address: 0xAFDB1000 Size: 14720 File Visible: - Status: - Name: KDCOM.DLL Image Path: C:\WINDOWS\system32\KDCOM.DLL Address: 0xF7987000 Size: 8192 File Visible: - Status: - Name: kmixer.sys Image Path: C:\WINDOWS\system32\drivers\kmixer.sys Address: 0xADFBF000 Size: 172416 File Visible: - Status: - Name: ks.sys Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys Address: 0xBA096000 Size: 143360 File Visible: - Status: - Name: KSecDD.sys Image Path: KSecDD.sys Address: 0xF795E000 Size: 92288 File Visible: - Status: - Name: Lbd.sys Image Path: Lbd.sys Address: 0xF76C7000 Size: 57472 File Visible: - Status: - Name: mbr.sys Image Path: C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys Address: 0xAFB13000 Size: 11776 File Visible: No Status: - Name: mnmdd.SYS Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xF79D3000 Size: 4224 File Visible: - Status: - Name: mouclass.sys Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys Address: 0xBAE03000 Size: 23552 File Visible: - Status: - Name: MountMgr.sys Image Path: MountMgr.sys Address: 0xF7607000 Size: 42368 File Visible: - Status: - Name: mraid35x.sys Image Path: mraid35x.sys Address: 0xF7727000 Size: 17280 File Visible: - Status: - Name: mrxdav.sys Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys Address: 0xAF14D000 Size: 180608 File Visible: - Status: - Name: mrxsmb.sys Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys Address: 0xAF97E000 Size: 455296 File Visible: - Status: - Name: Msfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xF77AF000 Size: 19072 File Visible: - Status: - Name: msgpc.sys Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys Address: 0xBA2E0000 Size: 35072 File Visible: - Status: - Name: mssmbios.sys Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys Address: 0xBAE37000 Size: 15488 File Visible: - Status: - Name: 
Mup.sys Image Path: Mup.sys Address: 0xBAEA3000 Size: 105344 File Visible: - Status: - Name: NDIS.sys Image Path: NDIS.sys Address: 0xF7A0F000 Size: 182656 File Visible: - Status: - Name: ndistapi.sys Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys Address: 0xBAE43000 Size: 10112 File Visible: - Status: - Name: ndisuio.sys Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys Address: 0xAF43A000 Size: 14592 File Visible: - Status: - Name: ndiswan.sys Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys Address: 0xB9EF0000 Size: 91520 File Visible: - Status: - Name: NDProxy.SYS Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xBA2C0000 Size: 40576 File Visible: - Status: - Name: netbios.sys Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys Address: 0xF7437000 Size: 34688 File Visible: - Status: - Name: netbt.sys Image Path: C:\WINDOWS\System32\DRIVERS\netbt.sys Address: 0xAFADB000 Size: 162816 File Visible: - Status: - Name: nic1394.sys Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys Address: 0xF7497000 Size: 61824 File Visible: - Status: - Name: Npfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xF77B7000 Size: 30848 File Visible: - Status: - Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xF7B52000 Size: 574976 File Visible: - Status: - Name: ntoskrnl.exe Image Path: C:\WINDOWS\system32\ntoskrnl.exe Address: 0x804D7000 Size: 2265088 File Visible: - Status: - Name: Null.SYS Image Path: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xF7ABE000 Size: 2944 File Visible: - Status: - Name: nv4_disp.dll Image Path: C:\WINDOWS\System32\nv4_disp.dll Address: 0xBF9D5000 Size: 3903488 File Visible: - Status: - Name: nv4_mini.sys Image Path: C:\WINDOWS\System32\DRIVERS\nv4_mini.sys Address: 0xBA129000 Size: 1275168 File Visible: - Status: - Name: nvcap.sys Image Path: C:\WINDOWS\System32\DRIVERS\nvcap.sys Address: 0xAF593000 Size: 115104 File Visible: - Status: - Name: nvtunep.sys Image Path: C:\WINDOWS\System32\DRIVERS\nvtunep.sys Address: 
0xB9E59000 Size: 19008 File Visible: - Status: - Name: nvtvsnd.sys Image Path: C:\WINDOWS\System32\DRIVERS\nvtvsnd.sys Address: 0xB9E61000 Size: 19712 File Visible: - Status: - Name: NVxbar.sys Image Path: C:\WINDOWS\System32\DRIVERS\NVxbar.sys Address: 0xAFB1F000 Size: 12192 File Visible: - Status: - Name: ohci1394.sys Image Path: ohci1394.sys Address: 0xF7576000 Size: 61696 File Visible: - Status: - Name: P1120Vid.sys Image Path: C:\WINDOWS\system32\DRIVERS\P1120Vid.sys Address: 0xAFCE8000 Size: 754528 File Visible: - Status: - Name: parport.sys Image Path: C:\WINDOWS\System32\DRIVERS\parport.sys Address: 0xBA0B9000 Size: 80256 File Visible: - Status: - Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xF770F000 Size: 19712 File Visible: - Status: - Name: ParVdm.SYS Image Path: C:\WINDOWS\System32\Drivers\ParVdm.SYS Address: 0xAFCC4000 Size: 6912 File Visible: - Status: - Name: pci.sys Image Path: pci.sys Address: 0xF7596000 Size: 68224 File Visible: - Status: - Name: pciide.sys Image Path: pciide.sys Address: 0xF7A4F000 Size: 3328 File Visible: - Status: - Name: PCIIDEX.SYS Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS Address: 0xF7707000 Size: 28672 File Visible: - Status: - Name: perc2.sys Image Path: perc2.sys Address: 0xF7767000 Size: 27296 File Visible: - Status: - Name: perc2hib.sys Image Path: perc2hib.sys Address: 0xF7997000 Size: 5504 File Visible: - Status: - Name: pfc.sys Image Path: C:\WINDOWS\system32\drivers\pfc.sys Address: 0xBAE4F000 Size: 9856 File Visible: - Status: - Name: PnpManager Image Path: \Driver\PnpManager Address: 0x804D7000 Size: 2265088 File Visible: - Status: - Name: portcls.sys Image Path: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xB9F07000 Size: 147456 File Visible: - Status: - Name: psched.sys Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys Address: 0xB9EDF000 Size: 69120 File Visible: - Status: - Name: ptilink.sys Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys Address: 0xBADEB000 Size: 17792 File 
Visible: - Status: - Name: pwd_2k.SYS Image Path: C:\WINDOWS\System32\Drivers\pwd_2k.SYS Address: 0xBA079000 Size: 116480 File Visible: - Status: - Name: PxHelp20.sys Image Path: PxHelp20.sys Address: 0xF76D7000 Size: 36320 File Visible: - Status: - Name: ql1080.sys Image Path: ql1080.sys Address: 0xF7677000 Size: 40320 File Visible: - Status: - Name: ql10wnt.sys Image Path: ql10wnt.sys Address: 0xF7637000 Size: 33152 File Visible: - Status: - Name: ql12160.sys Image Path: ql12160.sys Address: 0xF7697000 Size: 45312 File Visible: - Status: - Name: ql1240.sys Image Path: ql1240.sys Address: 0xF7647000 Size: 40448 File Visible: - Status: - Name: ql1280.sys Image Path: ql1280.sys Address: 0xF7687000 Size: 49024 File Visible: - Status: - Name: rasacd.sys Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys Address: 0xB8EFD000 Size: 8832 File Visible: - Status: - Name: rasl2tp.sys Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys Address: 0xBA310000 Size: 51328 File Visible: - Status: - Name: raspppoe.sys Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys Address: 0xBA300000 Size: 41472 File Visible: - Status: - Name: raspptp.sys Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys Address: 0xBA2F0000 Size: 48384 File Visible: - Status: - Name: raspti.sys Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys Address: 0xBADE3000 Size: 16512 File Visible: - Status: - Name: RAW Image Path: \FileSystem\RAW Address: 0x804D7000 Size: 2265088 File Visible: - Status: - Name: rdbss.sys Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys Address: 0xAF9EE000 Size: 175744 File Visible: - Status: - Name: RDPCDD.sys Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xF79D5000 Size: 4224 File Visible: - Status: -
#32
RootRepeal logs continued
Name: redbook.sys
Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys Address: 0xBA340000 Size: 58112 File Visible: - Status: - Name: rootrepeal.com.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.com.sys Address: 0xAEBBA000 Size: 45056 File Visible: No Status: - Name: SCSIPORT.SYS Image Path: C:\WINDOWS\System32\DRIVERS\SCSIPORT.SYS Address: 0xF74BF000 Size: 98304 File Visible: - Status: - Name: serenum.sys Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys Address: 0xBAE53000 Size: 15744 File Visible: - Status: - Name: serial.sys Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys Address: 0xBAD1B000 Size: 65536 File Visible: - Status: - Name: sisagp.sys Image Path: sisagp.sys Address: 0xF7586000 Size: 40960 File Visible: - Status: - Name: siside.sys Image Path: siside.sys Address: 0xF799B000 Size: 6016 File Visible: - Status: - Name: sparrow.sys Image Path: sparrow.sys Address: 0xF7717000 Size: 19072 File Visible: - Status: - Name: sr.sys Image Path: sr.sys Address: 0xF7975000 Size: 73472 File Visible: - Status: - Name: srv.sys Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys Address: 0xAEFA2000 Size: 333952 File Visible: - Status: - Name: STREAM.SYS Image Path: C:\WINDOWS\system32\DRIVERS\STREAM.SYS Address: 0xF7457000 Size: 53248 File Visible: - Status: - Name: swenum.sys Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys Address: 0xF79BB000 Size: 4352 File Visible: - Status: - Name: sym_hi.sys Image Path: sym_hi.sys Address: 0xF773F000 Size: 28384 File Visible: - Status: - Name: sym_u3.sys Image Path: sym_u3.sys Address: 0xF7747000 Size: 30688 File Visible: - Status: - Name: symc810.sys Image Path: symc810.sys Address: 0xF78A3000 Size: 16256 File Visible: - Status: - Name: symc8xx.sys Image Path: symc8xx.sys Address: 0xF7737000 Size: 32640 File Visible: - Status: - Name: sysaudio.sys Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xAEC2A000 Size: 60800 File Visible: - Status: - Name: tcpip.sys Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys Address: 
0xAFB51000 Size: 361600 File Visible: - Status: - Name: TDI.SYS Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS Address: 0xBADF3000 Size: 20480 File Visible: - Status: - Name: termdd.sys Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys Address: 0xBA2D0000 Size: 40704 File Visible: - Status: - Name: toside.sys Image Path: toside.sys Address: 0xF798F000 Size: 4992 File Visible: - Status: - Name: UdfReadr_xp.SYS Image Path: C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS Address: 0xAFBF7000 Size: 213120 File Visible: - Status: - Name: UimFIO.SYS Image Path: C:\WINDOWS\System32\Drivers\UimFIO.SYS Address: 0xF79D7000 Size: 8192 File Visible: - Status: - Name: ulsata.sys Image Path: ulsata.sys Address: 0xF76F7000 Size: 64384 File Visible: - Status: - Name: ultra.sys Image Path: ultra.sys Address: 0xF7667000 Size: 36736 File Visible: - Status: - Name: update.sys Image Path: C:\WINDOWS\System32\DRIVERS\update.sys Address: 0xB9E81000 Size: 384768 File Visible: - Status: - Name: usbccgp.sys Image Path: C:\WINDOWS\system32\DRIVERS\usbccgp.sys Address: 0xF77CF000 Size: 32128 File Visible: - Status: - Name: USBD.SYS Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS Address: 0xF79C3000 Size: 8192 File Visible: - Status: - Name: usbehci.sys Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys Address: 0xF781F000 Size: 30208 File Visible: - Status: - Name: usbhub.sys Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys Address: 0xF7477000 Size: 59520 File Visible: - Status: - Name: USBPORT.SYS Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS Address: 0xBA0F1000 Size: 147456 File Visible: - Status: - Name: usbprint.sys Image Path: C:\WINDOWS\System32\DRIVERS\usbprint.sys Address: 0xF77C7000 Size: 25856 File Visible: - Status: - Name: USBSTOR.SYS Image Path: C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS Address: 0xF77DF000 Size: 26368 File Visible: - Status: - Name: usbuhci.sys Image Path: C:\WINDOWS\System32\DRIVERS\usbuhci.sys Address: 0xF7817000 Size: 20608 File Visible: - Status: - Name: 
vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 0xF77A7000 Size: 20992 File Visible: - Status: - Name: viaagp.sys Image Path: viaagp.sys Address: 0xF76E7000 Size: 42240 File Visible: - Status: - Name: viaide.sys Image Path: viaide.sys Address: 0xF7991000 Size: 5376 File Visible: - Status: - Name: viaidexp.sys Image Path: viaidexp.sys Address: 0xF7999000 Size: 6144 File Visible: - Status: - Name: viasraid.sys Image Path: viasraid.sys Address: 0xBAF5D000 Size: 75904 File Visible: - Status: - Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\System32\DRIVERS\VIDEOPRT.SYS Address: 0xBA115000 Size: 81920 File Visible: - Status: - Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xF7617000 Size: 53504 File Visible: - Status: - Name: wanarp.sys Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys Address: 0xF7447000 Size: 34560 File Visible: - Status: - Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xB9E79000 Size: 20480 File Visible: - Status: - Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xAEB2D000 Size: 83072 File Visible: - Status: - Name: WDMCAPI.sys Image Path: WDMCAPI.sys Address: 0xBAF70000 Size: 587776 File Visible: - Status: - Name: wdmwanmp.sys Image Path: C:\WINDOWS\System32\DRIVERS\wdmwanmp.sys Address: 0xBADD3000 Size: 26112 File Visible: - Status: - Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1847296 File Visible: - Status: - Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1847296 File Visible: - Status: - Name: WMILIB.SYS Image Path: C:\WINDOWS\System32\DRIVERS\WMILIB.SYS Address: 0xF7989000 Size: 8192 File Visible: - Status: - Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2265088 File Visible: - Status: - Name: WudfPf.sys Image Path: WudfPf.sys Address: 0xF7A3C000 Size: 77568 File Visible: - Status: - +++++++++++++++++++++++++++++++++ ROOTREPEAL (c) AD, 2007-2008 
================================================== Scan Time: 2009/05/10 17:43 Program Version: Version 1.2.3.0 Windows Version: Windows XP SP3 ================================================== Stealth Objects ------------------- Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_READ] Process: System Address: 0x00000000 Size: - Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_WRITE] Process: System Address: 0x00000000 Size: - +++++++++++++++++++++++++++++++++++ ROOTREPEAL (c) AD, 2007-2008 ================================================== Scan Time: 2009/05/10 17:43 Program Version: Version 1.2.3.0 Windows Version: Windows XP SP3 ================================================== Hidden Services ------------------- +++++++++++++++++++++++++++++++++++ That's it! Hope it makes some sense to you.
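Reading a RootRepeal dump that has been pasted flat, as in the two posts above, is tedious, and the helper's first reply below says as much. The following Python script is an added example (not part of this thread, and not RootRepeal's own code) that re-parses the Drivers and Stealth Objects sections and lists the entries a reviewer looks at first: drivers whose file is not visible on disk, drivers loaded from a Temp directory (a triage heuristic assumed here, not something RootRepeal itself reports), and drivers named in Hidden Code hooks, resolved back to their image path. The sample records embedded in it are copied from the posts above. It deliberately does not decide which listed entry is expected (a scanner's own driver lands in the same list); that judgement stays with the reviewer.

```python
import re
from collections import defaultdict

# Constructed sample input: four driver records and the two Stealth Objects
# copied from the forum posts, kept in the run-together form they were pasted in.
SAMPLE_DRIVERS = (
    r"Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys "
    r"Address: 0xAFAB9000 Size: 138496 File Visible: - Status: - "
    r"Name: mbr.sys Image Path: C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys "
    r"Address: 0xAFB13000 Size: 11776 File Visible: No Status: - "
    r"Name: rootrepeal.com.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.com.sys "
    r"Address: 0xAEBBA000 Size: 45056 File Visible: No Status: - "
    r"Name: WDMCAPI.sys Image Path: WDMCAPI.sys "
    r"Address: 0xBAF70000 Size: 587776 File Visible: - Status: - "
)
SAMPLE_STEALTH = (
    "Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_READ] Process: System Address: 0x00000000 Size: - "
    "Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_WRITE] Process: System Address: 0x00000000 Size: - "
)

# One record per loaded driver; the image path is matched non-greedily up to " Address:".
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+) Image Path: (?P<path>.+?) Address: (?P<addr>0x[0-9A-Fa-f]+) "
    r"Size: (?P<size>\d+) File Visible: (?P<visible>\S+) Status: (?P<status>\S+)"
)
# One record per hooked dispatch routine in the Stealth Objects section.
STEALTH_RE = re.compile(
    r"Object: (?P<kind>.+?) \[Driver: (?P<driver>[^,\]]+), (?P<irp>[^\]]+)\] "
    r"Process: (?P<process>\S+) Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\S+)"
)
# Assumed heuristic: a kernel driver loaded from a Temp directory is worth a second look.
TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_drivers(text):
    """Return one dict per driver. Whitespace is collapsed first, so the original
    one-field-per-line layout and the flattened forum paste parse identically."""
    flat = " ".join(text.split())
    return [
        {**m.groupdict(), "size": int(m.group("size")), "addr": int(m.group("addr"), 16)}
        for m in DRIVER_RE.finditer(flat)
    ]


def parse_stealth_objects(text):
    """Return one dict per Stealth Objects entry (driver, hooked IRP major, process)."""
    flat = " ".join(text.split())
    return [m.groupdict() for m in STEALTH_RE.finditer(flat)]


def triage(drivers, stealth):
    """Pull out the entries a reviewer wants to see first. Nothing here is a verdict:
    the scanner's own driver, for instance, may legitimately be 'File Visible: No'."""
    not_visible = [d["name"] for d in drivers if d["visible"].lower() == "no"]
    temp_loaded = [d["name"] for d in drivers if TEMP_DIR_RE.search(d["path"])]

    # Group hooks by driver, then resolve each driver back to its Drivers-section record
    # by file stem (the Stealth Objects section names "WDMCAPI", the driver list "WDMCAPI.sys").
    hooks = defaultdict(list)
    for s in stealth:
        hooks[s["driver"]].append(s["irp"])
    by_stem = {d["name"].rsplit(".", 1)[0].upper(): d for d in drivers}
    hooked = {
        drv: {"irps": irps, "image": by_stem.get(drv.upper(), {}).get("path")}
        for drv, irps in hooks.items()
    }
    return {"not_visible": not_visible, "temp_loaded": temp_loaded, "hooked": hooked}


if __name__ == "__main__":
    report = triage(parse_drivers(SAMPLE_DRIVERS), parse_stealth_objects(SAMPLE_STEALTH))
    print("Drivers with no visible file on disk:", ", ".join(report["not_visible"]))
    print("Drivers loaded from a Temp directory:", ", ".join(report["temp_loaded"]))
    for drv, info in report["hooked"].items():
        print(f"Hooked dispatch routines in {drv} ({info['image']}): {', '.join(info['irps'])}")
```

Run it against a full RootRepeal log by reading the file and passing the Drivers and Stealth Objects sections to the two parsers; whitespace normalisation means it does not matter whether the log still has its original line breaks.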
#33
Not enough sense right now. I will need to review all the info and consider what is involved there, as well as asking others for their input.
For now, run one additional scan and post those results, but I will not likely provide any further assessments until later today (my time). FYI - it may display certain items not being found during the scan, which is normal. Go here and download reglooks.exe to your Desktop. Double-click on it to run it and when it has finished scanning, a log named result.txt will open in Notepad. Copy the log and post it in this thread.
#34
RegLooks scan log
Jintan:
Here are the RegLooks scan results. REGLOOKS logfile - version 0.980 Scan started: 10/05/2009 18:33:02.23 --- INFORMATION --- Operating System: Microsoft Windows XP Home Edition - version 5.1.2600 - Service Pack 3 Bootmode: Normal boot User: Dad (Administrator account) TOTAL RAM: 2047 MB (free 1667 MB - 81%) --- SIGCHECK --- C:\WINDOWS\explorer.exe -- [1037312] -- [14/04/2008 19:02] -- sigcheck OK C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [14/04/2008 19:02] -- sigcheck OK C:\WINDOWS\system32\lsass.exe -- [13312] -- [14/04/2008 19:03] -- sigcheck OK C:\WINDOWS\system32\ntkrnlpa.exe -- [2028544] -- [09/02/2009 13:27] -- sigcheck OK C:\WINDOWS\system32\ntoskrnl.exe -- [2149888] -- [09/02/2009 13:27] -- sigcheck OK C:\WINDOWS\system32\services.exe -- [111104] -- [09/02/2009 13:27] -- sigcheck OK C:\WINDOWS\system32\sfcfiles.dll -- [1571840] -- [14/04/2008 19:02] -- sigcheck OK C:\WINDOWS\system32\spoolsv.exe -- [57856] -- [14/04/2008 19:03] -- sigcheck OK C:\WINDOWS\system32\svchost.exe -- [14336] -- [14/04/2008 19:03] -- sigcheck OK C:\WINDOWS\system32\termsrv.dll -- [297472] -- [14/04/2008 19:02] -- sigcheck OK C:\WINDOWS\system32\user32.dll -- [580096] -- [14/04/2008 19:02] -- sigcheck OK C:\WINDOWS\system32\userinit.exe -- [26112] -- [14/04/2008 19:03] -- sigcheck OK C:\WINDOWS\system32\wininet.dll -- [826368] -- [03/03/2009 02:16] -- sigcheck OK C:\WINDOWS\system32\winlogon.exe -- [510464] -- [14/04/2008 19:03] -- sigcheck OK C:\WINDOWS\system32\ws2_32.dll -- [82432] -- [14/04/2008 19:02] -- sigcheck OK C:\WINDOWS\system32\wuauclt.exe -- [51224] -- [16/10/2008 15:09] -- sigcheck OK C:\WINDOWS\system32\drivers\ip6fw.sys -- [36608] -- [13/04/2008 20:53] -- sigcheck OK C:\WINDOWS\system32\drivers\ndis.sys -- [182656] -- [13/04/2008 21:20] -- sigcheck OK C:\WINDOWS\system32\drivers\tcpip.sys -- [361600] -- [20/06/2008 13:51] -- sigcheck OK --- SSODL regkeys --- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\ShellServiceObjectDelayLoad] 
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?] "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?] "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -- File: C:\WINDOWS\system32\webcheck.dll -- [233472] -- [20/02/2009 19:18] "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" -- File: C:\WINDOWS\System32\stobject.dll -- [122368] -- [14/04/2008 19:02] "WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -- File: C:\WINDOWS\system32\WPDShServiceObj.dll -- [133632] -- [18/10/2006 22:47] --- STS regkeys --- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Explorer\SharedTaskScheduler] "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Preloader van browseui" -- File: %SystemRoot%\System32\browseui.dll -- [?] "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Cache-daemon voor onderdeelcategorieën" -- File: %SystemRoot%\System32\browseui.dll -- [?] --- USERINIT regkey --- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Userinit"="C:\\WINDOWS\\system32\\userinit.ex e," File: C:\WINDOWS\system32\userinit.exe -- [26112] -- [14/04/2008 19:03] --- SHELL regkey --- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell"="Explorer.exe" File: C:\WINDOWS\Explorer.exe -- [1037312] -- [14/04/2008 19:02] --- SYSTEM regkey --- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "System"="" --- APPINIT_DLLS regkey --- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLs"="" --- NOTIFY regkey --- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain] -- File: C:\WINDOWS\system32\crypt32.dll -- [602624] -- [14/04/2008 19:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet] -- File: C:\WINDOWS\system32\cryptnet.dll -- [64512] -- [14/04/2008 19:02] 
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll] -- File: C:\WINDOWS\system32\cscdll.dll -- [102400] -- [14/04/2008 19:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy] -- File: %SystemRoot%\System32\dimsntfy.dll -- [?] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp] -- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule] -- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy] -- File: C:\WINDOWS\system32\sclgntfy.dll -- [21504] -- [14/04/2008 19:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn] -- File: C:\WINDOWS\system32\WlNotify.dll -- [93696] -- [14/04/2008 19:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv] -- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] -- File: C:\WINDOWS\system32\WgaLogon.dll -- [236928] -- [15/03/2007 18:16] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon] -- File: C:\WINDOWS\system32\wlnotify.dll -- [93696] -- [14/04/2008 19:02] --- RUN / LOAD regkeys --- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] "load"="" [Windows\Load] --- SHELLEXECUTEHOOKS regkey --- [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\explorer\shellexecutehooks] "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" -- File: shell32.dll -- [?] 
--- HKLM AUTORUN regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
"AutoRun"=""

--- HKCU AUTORUN regkeys ---
[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
no AutoRun regkey found

--- HKLM\RUN regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA Remote Control Panel" -- File: NVAREM.EXE /S /Q /R /L /A1 /B0 /C0 /D2 /E0 -- [?]
"RoxioEngineUtility" -- File "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" -- [65536] -- [01/05/2003 18:44]
"Adobe Photo Downloader" -- File "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" -- [57344] -- [06/06/2005 23:46]
"Ad-Watch" -- File: C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe -- [?]
"MSConfig" -- File: C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto -- [?]

--- HKLM\RUNONCE regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found

--- HKLM\RUNONCEEX regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
no runonceex values found

--- HKLM\RUNSERVICES regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
key not found

--- HKLM\RUNSERVICESONCE regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found

--- HKCU\RUN regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS" -- File: "C:\Program Files\Messenger\msmsgs.exe" /background -- [?]
"TomTomHOME.exe" -- File "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe" -- [251240] -- [18/03/2009 02:03]
"ctfmon.exe" -- File C:\WINDOWS\system32\ctfmon.exe -- [15360] -- [14/04/2008 19:02]
"WMPNSCFG" -- File C:\Program Files\Windows Media Player\WMPNSCFG.exe -- [204288] -- [18/10/2006 21:05]

--- HKCU\RUNONCE regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found

--- HKCU\RUNONCEEX regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
no runonceex values found

--- HKCU\RUNSERVICES regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
key not found

--- HKCU\RUNSERVICESONCE regkey ---
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found

--- HKU\.DEFAULT\Run regkeys - Default user ---
[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]
"NvMediaCenter" -- File: RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit -- [?]

--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---
[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]
"NvMediaCenter" -- File: RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit -- [?]

--- HKU\S-1-5-19\Run regkeys - User Lokale service ---
[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]

--- HKU\S-1-5-20\Run regkeys - User Lokale service ---
[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE" -- File C:\WINDOWS\System32\CTFMON.EXE -- [15360] -- [14/04/2008 19:02]

--- HKLM\Explorer\Run regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found

--- HKCU\Explorer\Run regkeys ---
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found

--- Image File Execution regkeys ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
no debuggers found

--- BROWSER HELPER OBJECTS regkeys ---
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}] -- File: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll -- [59032] -- [18/12/2006 04:16]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}] -- CLSID not found
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}] -- File: C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll -- [408440] -- [17/02/2009 17:11]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}] -- File: C:\Program Files\Java\jre6\bin\jp2ssv.dll -- [35840] -- [09/03/2009 05:18]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}] -- File: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll -- [73728] -- [09/03/2009 05:18]

--- TOOLBAR regkeys ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
no toolbars found

--- HKLM\URLSEARCHHOOKS regkeys ---
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]
key not found

--- HKCU\URLSEARCHHOOKS regkeys ---
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -- File: C:\WINDOWS\system32\ieframe.dll -- [6066176] -- [20/02/2009 19:18]

--- SRCEENSAVER regkey ---
[HKEY_CURRENT_USER\Control Panel\Desktop]
scrnsave.exe value not found

--- ALTERNATESHELL regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
File: C:\WINDOWS\system32\cmd.exe -- [399872] -- [14/04/2008 19:02]

--- SECURITYPROVIDERS regkey ---
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
File: C:\WINDOWS\system32\msapsspc.dll -- [86016] -- [14/04/2008 19:02]
File: C:\WINDOWS\system32\schannel.dll -- [144896] -- [05/12/2008 08:58]
File: C:\WINDOWS\system32\digest.dll -- [68608] -- [14/04/2008 19:02]
File: C:\WINDOWS\system32\msnsspc.dll -- [290816] -- [14/04/2008 19:02]

--- Active Setup\Installed Components regkey ---
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] -- File: C:\WINDOWS\system32\ieudinit.exe -- [13824] -- [20/02/2009 12:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}] -- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] -- File: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] -- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608555}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2337076a-dd0c-43a6-8d85-54070578a42f}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] -- File: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{377483c2-e4b4-4ee8-b577-9aed264c8735}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] -- File: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] -- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}] -- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}] -- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}] -- File: regsvr32.exe /s /n /i:U shell32.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}] -- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}] -- File: C:\WINDOWS\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}] -- File: c:\WINDOWS\system32\Rundll32.exe c:\WINDOWS\system32\mscories.dll,Install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{96543d59-497a-4801-a1f3-5936aacaf7b1}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{f15ee071-deb7-4cbb-951f-431c98338d8e}] -- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F5776D81-AE53-4935-8E84-B0B283D8BCEF}] -- filepath not found
#35
RegLooks continued
--- Services regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCALib8] -- File: C:\Program Files\Canon\CAL\CALMAIN.exe -- [96370] -- [31/01/2007 15:55]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdr4_xp] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdralw2k] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cdudf_xp] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DVDVRRdr_xp] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dvd_2K] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService] -- File: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lavasoft Ad-Aware Service] -- File: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lbd] -- File: system32\DRIVERS\Lbd.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mbr] -- File: \??\C:\DOCUME~1\Dad\LOCALS~1\Temp\mbr.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmc_2K] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\P1120VID] -- File: system32\DRIVERS\P1120Vid.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pwd_2k] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SiSide] -- File: SYSTEM32\DRIVERS\siside.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TomTomHOMEService] -- File: C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe -- [92008] -- [18/03/2009 02:03]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UdfReadr_xp] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UimBus] -- File: system32\DRIVERS\UimBus.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Uim_IM] -- File: System32\Drivers\Uim_IM.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDMCAPI] -- File: System32\DRIVERS\WDMCAPI.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{95D93F63-EC12-49F3-9090-0C6830F41485}] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{A3E79A54-9234-40AD-B57A-12D7D2824FE7}] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C03DF779-8F66-40B5-8BEB-286C881E0283}] -- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CB6E84C7-4EC0-4376-987C-3D3717EB0D81}] -- filepath not found

--- SAFEBOOT MINIMAL SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
Lavasoft Ad-Aware Service
{533C5B84-EC70-11D2-9505-00C04F79DEAF}

--- SAFEBOOT Network SERVICES ---
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
DnsCache
Lavasoft Ad-Aware Service

--- BOOTEXECUTE regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"= autocheck autochk *\0lsdelete\0\0

--- PENDINGFILERENAMEOPERATIONS regkey ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
PendingFileRenameOperations key not found

--- WOW-CMDLINE regkeys ---
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"cmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

--- NETSVCS regkey ---
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
0WmdmPmSN

--- DNS SERVER regkeys ---
no "NameServer" values found

--- File associations ---
.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

--- STARTUP FOLDERS ---
C:\Documents and Settings\Dad\Menu Start\Programma's\Opstarten\desktop.ini -- [84] -- [17/11/2003 22:46]
C:\Documents and Settings\All Users\Menu Start\Programma's\Opstarten\desktop.ini -- [84] -- [17/11/2003 22:46]

--- TASK SCHEDULER JOBS ---
C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job -- [472] -- [08/05/2009 19:52]

Scan completed: 10/05/2009 18:34:01.15
FINISHED
++++++++++++++++++++++++++++++

BTW, thanks a lot for your help. It's greatly appreciated.

Regards
Graham
#36
Let's go with a scan that also can effect repairs it sees necessary, instead of just these analysis views.
Download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As"). For this, rename the downloading file to combi.com, then click the renamed combi.com to run that scan. Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here. A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
#37
Combofix scan
Here is the log from the ComboFix scan. There seems to be a lot of Dutch in here -- shout if there's something you need translated.
ComboFix 09-05-11.01 - Dad 11/05/2009 19:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.31.1043.18.2047.1657 [GMT 2:00]
Gestart vanuit: c:\documents and settings\Dad\Bureaublad\Combi.com
.

(((((((((((((((((((( Bestanden Gemaakt van 2009-04-11 to 2009-05-11 ))))))))))))))))))))))))))))))
.

2009-05-11 15:21 . 2009-05-11 15:21 108 ---ha-w c:\windows\system32\x10prod.sys
2009-05-07 17:14 . 2009-05-07 17:14 71680 ----a-w C:\mbr.exe
2009-05-04 17:59 . 2009-05-04 18:01 -------- d-----w C:\rsit
2009-05-04 14:25 . 2001-09-06 19:27 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-05-04 14:25 . 2008-04-13 18:45 15104 -c--a-w c:\windows\system32\dllcache\usbscan.sys
2009-05-04 14:25 . 2008-04-13 18:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-05-04 14:25 . 2008-04-14 17:02 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-05-03 13:40 . 2009-05-03 13:40 -------- d-----w c:\program files\Trend Micro
2009-05-03 12:14 . 2009-05-03 12:14 -------- d-----w c:\documents and settings\Dad\Application Data\Malwarebytes
2009-05-03 12:14 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-03 12:14 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-03 12:14 . 2009-05-03 12:14 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-03 12:14 . 2009-05-03 12:14 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-03 12:04 . 2009-05-03 12:04 -------- d-----w c:\program files\Windows Installer Clean Up
2009-05-03 12:03 . 2009-05-03 12:03 -------- d-----w c:\program files\MSECACHE
2009-04-28 12:44 . 2009-05-11 15:22 -------- d-----w c:\documents and settings\Joy\Tracing
2009-04-26 14:10 . 2009-05-08 21:21 -------- d-----w c:\documents and settings\Dad\Tracing
2009-04-26 14:07 . 2009-04-26 14:07 -------- d-----w c:\program files\Windows Live SkyDrive
2009-04-26 13:58 . 2009-04-26 13:58 -------- d-----w c:\program files\Common Files\Windows Live
2009-04-16 17:19 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-16 17:19 . 2009-03-06 14:23 285696 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-16 17:19 . 2009-02-09 11:27 111104 -c----w c:\windows\system32\dllcache\services.exe
2009-04-16 17:19 . 2009-02-09 10:56 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-16 17:19 . 2009-02-09 10:56 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-16 17:19 . 2009-02-09 10:56 684544 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-16 17:19 . 2009-02-09 10:56 734208 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-16 17:19 . 2009-02-09 10:56 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-16 17:19 . 2009-02-09 10:56 735744 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-16 17:14 . 2008-04-21 21:16 218624 -c----w c:\windows\system32\dllcache\wordpad.exe
.

((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-11 17:38 . 2008-08-28 07:41 -------- d-----w c:\program files\xnews
2009-05-10 18:35 . 2007-02-28 21:25 -------- d-----w c:\program files\Mozilla Thunderbird
2009-04-26 14:07 . 2006-04-28 09:48 -------- d-----w c:\program files\Microsoft
2009-04-26 14:06 . 2008-04-09 19:10 -------- d-----w c:\program files\Windows Live
2009-04-24 17:53 . 2009-02-14 15:24 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-24 17:52 . 2009-02-13 18:52 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-17 08:48 . 2003-11-17 21:32 84304 ----a-w c:\windows\system32\perfc013.dat
2009-04-17 08:48 . 2003-11-17 21:32 475050 ----a-w c:\windows\system32\perfh013.dat
2009-04-11 12:31 . 2006-12-07 19:29 -------- d-----w c:\program files\Java
2009-04-04 14:52 . 2009-04-04 14:52 -------- d-----w c:\program files\TomTom International B.V
2009-04-04 14:50 . 2008-12-22 18:34 -------- d-----w c:\program files\TomTom HOME 2
2009-03-28 13:01 . 2006-08-31 18:39 -------- d-----w c:\program files\QuickTime
2009-03-28 12:58 . 2006-12-07 19:27 -------- d-----w c:\program files\LimeWire
2009-03-28 12:56 . 2007-06-03 15:56 -------- d-----w c:\program files\DigiTech
2009-03-28 12:35 . 2006-04-28 21:30 -------- d-----w c:\program files\Windows Media Connect 2
2009-03-23 16:56 . 2006-04-30 06:54 82856 ----a-w c:\documents and settings\Joy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-22 11:19 . 2009-03-22 11:16 -------- d-----w c:\program files\Canon
2009-03-22 11:11 . 2009-03-22 11:11 -------- d-----w c:\program files\Common Files\Canon
2009-03-13 21:05 . 2006-04-28 20:51 82856 ----a-w c:\documents and settings\Dad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-03-09 03:19 . 2009-02-07 10:34 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:23 . 2003-12-22 23:20 285696 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:16 . 2006-02-24 13:22 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-22 18:51 . 2009-02-22 18:51 56 ---ha-w c:\windows\system32\ezsidmv.dat
2009-02-20 17:18 . 2004-08-04 08:03 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-12 13:26 . 2006-04-29 11:07 82856 ----a-w c:\documents and settings\Akadia\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-01-28 19:49 . 2008-01-28 19:50 774144 ----a-w c:\program files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-03-18 251240]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-24 516440]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 172032]
"NVIDIA Remote Control Panel"="NVAREM.EXE" - c:\windows\system32\nvarem.exe [2003-07-30 139264]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-07-28 49152]

c:\documents and settings\Joy\Menu Start\Programma's\Opstarten\
OneNote 2007 Schermopname en Snel starten.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Start^Programma's^Opstarten^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Menu Start^Programma's^Opstarten^OneNote 2007 Schermopname en Snel starten.lnk]
path=c:\documents and settings\Dad\Menu Start\Programma's\Opstarten\OneNote 2007 Schermopname en Snel starten.lnk
backup=c:\windows\pss\OneNote 2007 Schermopname en Snel starten.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Dad^Menu Start^Programma's^Opstarten^OneNote-inhoudsopgave.onetoc2]
path=c:\documents and settings\Dad\Menu Start\Programma's\Opstarten\OneNote-inhoudsopgave.onetoc2
backup=c:\windows\pss\OneNote-inhoudsopgave.onetoc2Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\StubInstaller.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [13/02/2009 20:52 64160]
R0 viaide1;viaide1;c:\windows\system32\drivers\viaidexp.sys [22/12/2003 22:50 6144]
R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [22/12/2003 22:50 75904]
R0 WDMCAPI;ISDN PCI CAPI;c:\windows\system32\drivers\WDMCAPI.sys [28/04/2006 11:41 587776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 23:34 953168]
R2 nvTUNEP;nVidia WDM TVTuner;c:\windows\system32\drivers\NVTUNEP.SYS [28/04/2006 11:45 20580]
R2 nvtvSND;nVidia WDM TVAudio Crossbar;c:\windows\system32\drivers\NVTVSND.SYS [28/04/2006 11:45 22644]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [18/03/2009 02:03 92008]
R3 P1120VID;Creative WebCam NX Ultra;c:\windows\system32\drivers\P1120Vid.sys [21/05/2006 22:47 759050]
R3 WDMWANMP;NDIS WAN miniport;c:\windows\system32\drivers\wdmwanmp.sys [28/04/2006 11:41 26112]
S3 CEUSBAUD;DigiTech USB MIDI Driver;c:\windows\system32\drivers\ceusbaud.sys [01/11/2003 22:19 17920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7d5c4f6a-d28d-11dd-b49f-487444737531}]
\Shell\AutoRun\command - K:\InstallTomTomHOME.exe
.
Inhoud van de 'Gedeelde Taken' map

2009-05-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:52]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.hotsheet.com/
uInternet Connection Wizard,ShellNext = hxxp://www.standbyservice.nl/
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {15589FA1-C456-11CE-BF01-000000000000} - hxxp://www.errornuker.com/products/errn2004/installers/default/ErrorNukerInstaller.exe
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A}
DPF: {BC0AE9E6-E549-4554-A222-EA083A894683} - hxxp://a01-b01.mypicturetown.com/P2PwebCmdController/x/Upld_47.CAB
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-11 19:59
Windows 5.1.2600 Service Pack 3 NTFS

scannen van verborgen processen ...

scannen van verborgen autostart items ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
NVIDIA Remote Control Panel = NVAREM.EXE /S /Q /R /L /A1 /B0 /C0 /D2 /E0???????????????????????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????????????????????????????? ?????????????????????????? ????????? ?? ?????????????????? !"#$%&'

scannen van verborgen bestanden ...

Scan succesvol afgerond
verborgen bestanden: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\UlSata]
"ImagePath"="SYSTEM32\DRIVERS\ulsata.sys\00lled: \00.\0d\0a\00Audio (Multi) -"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------

- - - - - - - > 'explorer.exe'(2976)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Voltooingstijd: 2009-05-11 20:02
ComboFix-quarantined-files.txt 2009-05-11 18:02

Pre-Run: 82,711,216,128 bytes beschikbaar
Post-Run: 84,698,034,176 bytes beschikbaar

WindowsXP-KB310994-SP2-Home-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

181 --- E O F --- 2009-04-29 20:00
#38
At the end of the ComboFix log some additional but still unclear info shows related to those driver changes.
I would like to check a backup copy ComboFix made of the system hive file there. Navigate to the following highlighted file, and zip a copy of it: C:\WINDOWS\ERDNT\Hiv-backup\system Then just go here, press new topic, fill in the needed details and just give a link to your post back here. Then press the browse button and then navigate to & select that zipped file on your computer. You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.
#40
ComboFix's backup of system.exe file
I have linked the post on spykiller.co.uk to this thread.
Last edited by Bonksie; May 12th, 2009 at 06:49 PM.
#41
Very unusual. What make and model is this computer please? Just asking to verify this is a cloned install, such as many large manufacturers like to do.
As for the hive info you uploaded, these show:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SiSide]
"ImagePath"=SYSTEM32\DRIVERS\siside.sysNST\ControlSet001\Services

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\UlSata]
"ImagePath"=SYSTEM32\DRIVERS\ulsata.syslled: . Audio (Multi) -

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viaide1]
"ImagePath"=SYSTEM32\DRIVERS\viaidexp.sysT\ControlSet001\Services\via

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\viaide1]
"ImagePath"=SYSTEM32\DRIVERS\viasraid.sysCriticalDeviceDatabase\viai

Boot device drivers with unseen information added to their values. Why I am just not sure right now. We can use a Regedit or other method to correct those, but I sure would like to know what created them before attempting that. If it is not just due to some corruption occurring to those entries, then altering them may lead to problems. Let me check on this further, before we decide on any further action here.
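An added example, not code from this thread, ComboFix or RegLooks: a small Python check that decodes raw registry string bytes and separates the path Windows actually uses from any readable characters lying beyond the NUL terminator, which is the pattern the ulsata.sys ImagePath shows above. The raw bytes are constructed here to mirror the ComboFix rendering (plus a clean driver path and the BootExecute REG_MULTI_SZ from the RegLooks log, where embedded NULs are normal); on a live system they would have to come from an offline hive parser, which is not shown.

```python
"""Inspect raw Windows registry string values for data hidden past the NUL
terminator.  Added example with constructed samples; not ComboFix's own logic."""
from dataclasses import dataclass, field

# Windows registry value types for string data
REG_SZ = 1
REG_EXPAND_SZ = 2
REG_MULTI_SZ = 7


@dataclass
class StringValueReport:
    name: str
    visible: str                  # what the service loader actually uses
    entries: list = field(default_factory=list)   # items of a REG_MULTI_SZ
    slack: str = ""               # readable characters beyond the terminator
    suspicious: bool = False


def inspect_string_value(name, value_type, raw):
    """Decode a raw REG_*_SZ payload and report anything after its terminator.

    Registry strings are UTF-16LE.  A REG_SZ / REG_EXPAND_SZ ends at the first
    NUL; a REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra
    NUL.  Bytes after that are invisible to regedit and to the driver loader,
    so an unexplained readable remainder deserves a closer look.
    """
    text = raw.decode("utf-16-le", errors="replace")
    parts = text.split("\x00")
    if value_type == REG_MULTI_SZ:
        entries = []
        i = 0
        while i < len(parts) and parts[i]:
            entries.append(parts[i])
            i += 1
        # parts[i] is the empty string produced by the list terminator
        remainder = parts[i + 1:]
        visible = "; ".join(entries)
    elif value_type in (REG_SZ, REG_EXPAND_SZ):
        entries = []
        visible = parts[0]
        remainder = parts[1:]
    else:
        raise ValueError(f"{name}: not a string value type ({value_type})")
    slack = "\x00".join(remainder).strip("\x00")
    return StringValueReport(name, visible, entries, slack, suspicious=bool(slack))


def printable(s):
    """Render control characters the way ComboFix does, e.g. NUL -> \\00, CR -> \\0d."""
    return "".join(c if 32 <= ord(c) < 127 else f"\\{ord(c):02x}" for c in s)


def utf16(s):
    return s.encode("utf-16-le")


# Constructed samples.  UlSata mirrors the ComboFix rendering from the log;
# Lbd is a normal terminated path; BootExecute is the RegLooks REG_MULTI_SZ.
SAMPLES = [
    ("Services\\UlSata\\ImagePath", REG_EXPAND_SZ,
     utf16("SYSTEM32\\DRIVERS\\ulsata.sys\x00lled: \x00.\r\n\x00Audio (Multi) -")),
    ("Services\\Lbd\\ImagePath", REG_EXPAND_SZ,
     utf16("system32\\DRIVERS\\Lbd.sys\x00")),
    ("Session Manager\\BootExecute", REG_MULTI_SZ,
     utf16("autocheck autochk *\x00lsdelete\x00\x00")),
]


def scan(samples=SAMPLES):
    """Return the names of values carrying readable data past their terminator."""
    return [name for name, vtype, raw in samples
            if inspect_string_value(name, vtype, raw).suspicious]


if __name__ == "__main__":
    for name, vtype, raw in SAMPLES:
        rep = inspect_string_value(name, vtype, raw)
        print(f"{name}: visible={rep.visible!r}")
        if rep.suspicious:
            print(f"  slack beyond terminator: {printable(rep.slack)}")
```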
#42
Does this help?
Sky Computers Europe
Model MS-6743
Processor x86 Family 15 Model 2 Stepping 9 GenuineIntel ~2600 Mhz
BIOS-Phoenix Technologies, LTD 6.00 PG, 25/06/2003
SMBIOS-version 2.2

The computer was bought at a large department store affiliated with Dixons Electronics.
#43
The info just suggests that Windows copy is "imaged" onto the drive, which occurs with large production systems. Just really unclear what needs to be corrected there yet. These also from the earlier RootRepeal log - related to modem drivers I believe:

Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_READ]
Process: System
Address: 0x00000000
Size: -

Object: Hidden Code [Driver: WDMCAPI, IRP_MJ_WRITE]
Process: System
Address: 0x00000000
Size: -

Go here and download USEC.at's radix_installer_trial.zip. Then unzip that and click the radixgui.exe to open the scan display. Then without making any changes click the Check button to start the scan. Once it has completed click the Save Log button and save that to a location you can return to. Then click the "X" to close the Radix scanner.

!!!Caution - the Radix scanner has many settings and options, including many that can cause quick and permanent corruption to your operating system. Avoid the temptation to try any other options, scans or settings when using it.

That log will be too large for forum posting, so zip a copy of it and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files -Bonksie/cth/rdx" as the email Subject.
#44
The Radix scan has been zipped and sent to you.
Jeez, don't you ever sleep?
#45
Hmm - other than sorry for not noticing you already had Radix, that log didn't get through email for some reason. Given that, I'll go back and check your earlier log you already sent, compared to this current info.